Wednesday, May 1, 2013

ZeroAccess Network detection

If you are into NIDS you probably want
to look into detecting ZeroAccess traffic on your network. It is
still spreading and infecting computers through exploit kits.
F-Secure said it was the most profitable and fastest growing botnet
of 2012. In addition, not all NIDS vendors ship signatures that detect
it in their default configuration.

ZeroAccess is not the worst thing to
get on your network, but you never know when that is going to change
or what other bad stuff is on your vulnerable hosts. And, of course,
we do not want these guys to earn money on our watch.

1. Detect the installation

Detecting the installation phase of the
bot is nice because we can then also look into the infection mechanism,
see what the host was vulnerable to and fix it.

During the installation the bot talks
to a set of hardcoded addresses on UDP port 123 and UDP port 53
(camouflaged as NTP and DNS). The port 53 traffic is distinctive:
UDP payload bytes 8-9 carry the country code the bot obtained from a
GeoIP lookup against MaxMind. In real DNS traffic those two bytes are
the NSCOUNT field, so matching on country codes there should leave
little chance of false positives. One problem though: the UDP payload
is XORed, so we need to find the correct (XORed) country code value.

Luckily I have made a script to
generate the correct hex values:

So all we have to do then is create a
signature that detects UDP port 53 traffic with bytes 8-9 set to
our local country code. That should not hurt performance too badly either.
Alert for "ZeroAccess installation detected".

The UDP 123 traffic can be detected
pretty much the same way. UDP payload bytes 0-1 will be 0x474e,
followed by the country code again. Once again it is XORed, so we need to
generate our country code:

Alert for "ZeroAccess bot installation
complete" on UDP port 123 with the bytes given above that are correct
for your environment.

That should reliably detect ZeroAccess
installations.

2. Detect P2P update traffic

When the bot is up and running and wants
to keep its P2P list up to date, it talks to ZeroAccess supernodes on
UDP ports 16464, 16465, 16470 or 16471. As we remember from the
analysis, it asks for P2P lists with the command getL. This
is XORed with a different key, but the values are static, so we can
simply look for them in the packet.

Let's add that to the ports and we
should be hitting the bullseye with this signature as well. UDP payload
bytes 4-7 should look like 0x28948dab. Alert on "ZeroAccess P2P
activity".
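To show the three checks from sections 1 and 2 side by side, here is a small classifier over constructed UDP packets. This is an added example, not the author's generator script and not a vendor signature; the XORed country-code values (XORED_CC_DNS, XORED_CC_NTP) are placeholders that you would replace with the bytes your own generator produces for your country, and the packet layout, addresses and sample traffic are constructed for the demonstration. Only the on-wire constants (0x474e, 0x28948dab, the offsets and the port list) come from the post.

```python
"""ZeroAccess UDP beacon classifier over constructed packets (added example)."""
from typing import NamedTuple, Optional, Iterable, List, Tuple

# On-wire constants quoted in the post.
ZA_P2P_PORTS = frozenset({16464, 16465, 16470, 16471})
ZA_GETL_MARKER = bytes.fromhex("28948dab")   # bytes 4-7 of a XORed getL request
ZA_FAKE_NTP_MARKER = bytes.fromhex("474e")   # bytes 0-1 of the UDP/123 install beacon

# Placeholders (assumption): the XORed two-byte country code for *your* network,
# as produced by the generator script. Real values depend on the key and country.
XORED_CC_DNS = bytes.fromhex("aabb")   # placeholder for the UDP/53 beacon (bytes 8-9)
XORED_CC_NTP = bytes.fromhex("ccdd")   # placeholder for the UDP/123 beacon (bytes 2-3)


class UdpPacket(NamedTuple):
    src: str
    dst: str
    dport: int
    payload: bytes


def classify(pkt: UdpPacket,
             xored_cc_dns: bytes = XORED_CC_DNS,
             xored_cc_ntp: bytes = XORED_CC_NTP) -> Optional[str]:
    """Return an alert name for a ZeroAccess-looking packet, else None."""
    p = pkt.payload
    # 1a. Install beacon disguised as DNS. In a real DNS query bytes 8-9 are
    #     NSCOUNT, which is 0x0000, so a country-code value there is a cheap,
    #     low-false-positive match.
    if pkt.dport == 53 and len(p) >= 10 and p[8:10] == xored_cc_dns:
        return "ZeroAccess installation (UDP/53 beacon)"
    # 1b. Install beacon disguised as NTP: fixed 0x474e marker, then the country code.
    if (pkt.dport == 123 and len(p) >= 4
            and p[0:2] == ZA_FAKE_NTP_MARKER and p[2:4] == xored_cc_ntp):
        return "ZeroAccess installation (UDP/123 beacon)"
    # 2. P2P peer-list request (getL) to a supernode port: static XORed bytes 4-7.
    if pkt.dport in ZA_P2P_PORTS and len(p) >= 8 and p[4:8] == ZA_GETL_MARKER:
        return "ZeroAccess P2P activity (getL)"
    return None


def scan(packets: Iterable[UdpPacket], **kw) -> List[Tuple[str, str, int, str]]:
    """Run classify over packets and return (src, dst, dport, alert) for each hit."""
    hits = []
    for pkt in packets:
        alert = classify(pkt, **kw)
        if alert is not None:
            hits.append((pkt.src, pkt.dst, pkt.dport, alert))
    return hits


# Constructed sample traffic: two benign packets and one of each beacon type.
SAMPLE_PACKETS = [
    # Ordinary DNS query for example.com (NSCOUNT = 0x0000) -> no alert
    UdpPacket("10.0.0.5", "10.0.0.1", 53,
              bytes.fromhex("1234 0100 0001 0000 0000 0000")
              + b"\x07example\x03com\x00\x00\x01\x00\x01"),
    # Ordinary NTP client request (LI/VN/Mode byte 0x23, rest zero) -> no alert
    UdpPacket("10.0.0.5", "10.0.0.1", 123, b"\x23" + bytes(47)),
    # Fake DNS install beacon: placeholder country code at bytes 8-9
    UdpPacket("10.0.0.7", "192.0.2.10", 53, bytes(8) + XORED_CC_DNS + bytes(6)),
    # Fake NTP install beacon: 0x474e marker then placeholder country code
    UdpPacket("10.0.0.7", "192.0.2.11", 123, ZA_FAKE_NTP_MARKER + XORED_CC_NTP + bytes(12)),
    # getL request to a supernode port
    UdpPacket("10.0.0.7", "198.51.100.20", 16471, bytes(4) + ZA_GETL_MARKER + bytes(8)),
]

if __name__ == "__main__":
    for row in scan(SAMPLE_PACKETS):
        print(row)
```

Each branch of classify is a content match at a fixed offset and depth, which is exactly what you would express in a NIDS rule for the same three ports; keeping the length checks in front of the slices avoids matching truncated packets by accident.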

That should take care of both the
installation and the update parts of the ZeroAccess bot.